

(topic move) High DNS Traffic on Router

Moderator Action
The post that was here (and all 7 follow-ups to it) has been moved to a new topic: High DNS Traffic on Router
OHSrob (Member, joined 2011-06-08) to 34764170:

Re: High DNS Traffic on Router

said by 34764170:

said by OHSrob:

Fair enough, I may be incorrect; my professor in college had referred to fake requests to a DNS server from a spoofed address for traffic amplification purposes as a type of smurf attack.

It looks like this may be happening here.

A smurf attack is a name for a particular type of attack that involves sending spoofed ICMP packets towards the broadcast address.

The behavior as mentioned by the OP sounds like what is called a DNS amplification attack.

Thank you for the correction; I will remember this.

cybersaga (Member, joined 2011-12-19, Selby, ON):

Thanks to the mods for cleaning up this thread.

I changed my router's MAC yesterday and got a new IP assigned. I'm working from home again today, so we'll see how it goes.

Sandroid (Premium Member, BSD geek, joined 2002-08-08, Anjou, QC) to Privateeye:
said by Privateeye :

said by cybersaga:

said by Privateeye :

TCPdump is for sniffing wireless

Well I know that is not correct, since I used it on my wan interface and it did indeed capture traffic, including traffic that originated from my one computer that's wired.

It can capture wired packets, but it is mainly for wireless sniffing for data. You just miss the point if that's all you get hung up on. That's not the right tool for the job.

Use syslog, not a sniffing program. That's what it was made for. It will give you the info you need without needing to capture huge amounts of data in a certain time frame and hope your problem happens in that time frame. Syslog can just monitor 24/7.

If you don't know how to mount jffs, I don't think OpenWrt is the right firmware for you honestly.

God only knows what directories you chmod'ed and left open for the mischievous DNS poisoner....lol

Wow - all kinds of wrong... Cybersaga, please disregard what he's saying... he clearly has limited knowledge on this. You were on the right track to look at network data to figure out what's happening.

@"privateeye": Not only does tcpdump predate wifi, tcpdump is always the right tool for the job whenever you're trying to figure out the behavior of either the network or the applications running on it. Please be more responsible handing out "advice" on the internet. You're in no position to chastise someone for not knowing how to mount an obscure, limited-scope file system... you should ensure you've earned the right to do so first. Syslog was made to provide the user exactly what happened here: notification of something wrong. As for your DNS poisoning remark... you may want to look up DNS poisoning. Privileged file access not required. Your post value: 0.

@Cybersaga: You should certainly take a look at how OpenWRT is setup. But, if reviewing config and running services doesn't provide you with insight, and you need assistance with analyzing tcpdump output to resolve this, PM me. I develop for an enterprise monitoring tool based on network sniffing, so I'd like to think I'm better placed to provide assistance here. Remember though, DNS is UDP, and tcpdump will do lookups by default too, so you'll need appropriate switches on tcpdump... something like this:

tcpdump -i $ifname -n -l -s 20 udp port 53

•The -n prevents host lookups, which would just pollute this.
•The -l ensures you get a new line for each packet, so that effectively each query and response is on a new line, which makes it easier to read if you're pushing to stdout. Alternatively, specify -w to dump into a file. You can later replay it with -r, or use Wireshark.
•-s 20 is because you don't need much of the payload. In fact, I'm pretty sure you can get away with -s 0 here, but I'm just not sure.
•Finally the filter is self-explanatory.
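The thread names two things that can show up as "high DNS traffic" on a router: a DNS amplification attack (discussed above in the smurf-attack correction) and, in this post, a tcpdump capture of UDP port 53. What the capture does not tell you by itself is which side of an amplification attack the router is on. The script below is an added example, not code from any poster in this thread: it reads the text that `tcpdump -n -l udp port 53` prints and separates (1) the router being abused as an open resolver/reflector, where small queries arrive from the WAN and each gets a much larger answer, from (2) the router being the spoofed victim, where answers arrive from many resolvers for queries it never sent (the second case is consistent with the traffic stopping once the WAN IP changed). The router address `ROUTER` and the `SAMPLE` lines are constructed for illustration; the line format assumed is tcpdump's default DNS summary (`id+ [1au] ANY? name. (len)` for queries, `id an/ns/ar ... (len)` for responses).

```python
"""Summarise the text that `tcpdump -n -l udp port 53` prints and separate the
two things that show up as "high DNS traffic" on a router's WAN side:

  1. the router is an open resolver being used as a reflector: queries arrive
     from outside and each small query gets a much larger answer, or
  2. the router is the spoofed victim of a reflection attack: answers arrive
     from many resolvers for queries the router never sent.

Added example for the thread, not any poster's code. ROUTER and the SAMPLE
lines are constructed, not a real capture.
"""
import json
import re
import sys
from collections import defaultdict

ROUTER = "198.51.100.10"  # assumed WAN address of the router under analysis

# Constructed lines in the format `tcpdump -n -l udp port 53` prints.
SAMPLE = """\
10:00:01.000100 IP 203.0.113.7.43210 > 198.51.100.10.53: 4242+ [1au] ANY? isc.org. (37)
10:00:01.000900 IP 198.51.100.10.53 > 203.0.113.7.43210: 4242 32/0/1 A 149.20.64.69, AAAA 2001:4f8:0:2::69, MX mx.pao1.isc.org. (3205)
10:00:01.010100 IP 203.0.113.7.43211 > 198.51.100.10.53: 4243+ [1au] ANY? isc.org. (37)
10:00:01.010900 IP 198.51.100.10.53 > 203.0.113.7.43211: 4243 32/0/1 A 149.20.64.69, AAAA 2001:4f8:0:2::69, MX mx.pao1.isc.org. (3205)
10:00:02.000100 IP 198.51.100.10.51000 > 192.0.2.1.53: 7+ A? www.example.com. (33)
10:00:02.020100 IP 192.0.2.1.53 > 198.51.100.10.51000: 7 1/0/0 A 93.184.216.34 (49)
10:00:03.000100 IP 192.0.2.77.53 > 198.51.100.10.5353: 9001 14/0/1 TXT "v=spf1 include:_spf.example.net -all" (2048)
10:00:03.000200 IP 192.0.2.78.53 > 198.51.100.10.5353: 9002 14/0/1 TXT "v=spf1 include:_spf.example.net -all" (2048)
"""

# `ts IP src.port > dst.port: <dns summary> (len)`; the port is after the last dot.
LINE = re.compile(
    r"^(?P<ts>\S+) IP6? (?P<src>\S+?)\.(?P<sport>\d+) > (?P<dst>\S+?)\.(?P<dport>\d+): "
    r"(?P<rest>.*) \((?P<length>\d+)\)$")
# Query: txid, flag characters (+ = RD), optional EDNS marker like [1au], then `TYPE? name.`
QUERY = re.compile(
    r"^(?P<id>\d+)(?P<flags>[+*$|-]*)(?: \[\d+[a-z]*\])* (?P<qtype>[A-Za-z0-9]+)\? (?P<qname>\S+)$")
# Response: txid, flags, optional rcode word (NXDomain, ServFail), then answer/authority/additional counts.
RESPONSE = re.compile(
    r"^(?P<id>\d+)(?P<flags>[+*$|-]*)(?: [A-Za-z]+)? (?P<an>\d+)/(?P<ns>\d+)/(?P<ar>\d+)")


def parse_line(raw):
    """Return (src, dst, kind, txid, qtype, qname, length) or None for non-DNS lines."""
    m = LINE.match(raw)
    if not m:
        return None
    rest, length = m["rest"], int(m["length"])
    q = QUERY.match(rest)
    if q:
        return (m["src"], m["dst"], "query", q["id"], q["qtype"].upper(), q["qname"], length)
    r = RESPONSE.match(rest)
    if r:
        return (m["src"], m["dst"], "response", r["id"], None, None, length)
    return None


def analyse(text, router=ROUTER, amp_threshold=10.0):
    """Pair each response with the query that preceded it and aggregate per peer."""
    pending = {}  # (client, server, txid) -> (qtype, qname, query_len)
    reflector = defaultdict(lambda: {"queries": 0, "resp_bytes": 0, "max_amp": 0.0,
                                     "qtypes": set(), "qnames": set()})
    unsolicited = defaultdict(lambda: {"responses": 0, "bytes": 0})

    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        src, dst, kind, txid, qtype, qname, length = rec
        if kind == "query":
            pending[(src, dst, txid)] = (qtype, qname, length)
            continue
        key = (dst, src, txid)  # a response travels server -> client
        if key in pending:
            qtype, qname, qlen = pending.pop(key)
            if src == router:  # the router answered a peer on the WAN side: case 1
                s = reflector[dst]
                s["queries"] += 1
                s["resp_bytes"] += length
                s["max_amp"] = max(s["max_amp"], length / qlen)
                s["qtypes"].add(qtype)
                s["qnames"].add(qname)
        elif dst == router:  # an answer for a query the router never sent: case 2
            u = unsolicited[src]
            u["responses"] += 1
            u["bytes"] += length

    return {
        "abused_as_reflector": {
            peer: s for peer, s in reflector.items()
            if s["max_amp"] >= amp_threshold or "ANY" in s["qtypes"]
        },
        "reflection_victim_sources": dict(unsolicited),
    }


if __name__ == "__main__":
    # Pipe a live capture in, or run with no input to analyse the constructed SAMPLE.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    print(json.dumps(analyse(text), indent=2, default=sorted))
```

Feed it the capture from this post with `tcpdump -i $ifname -n -l -s 0 udp port 53 | python3 dns_summary.py` (the script name is an assumption). The `-n` and `-l` switches are required for this parser, and the snaplen matters: 20 bytes does not even cover the 14-byte Ethernet header plus a 20-byte IPv4 header, so tcpdump cannot print the query names, record counts or lengths the script keys on; use `-s 0` (or capture with `-w` and replay with `-r`). Run on the WAN interface, a non-empty `abused_as_reflector` means the router is answering outside queries and should stop listening on port 53 on that interface, while many entries under `reflection_victim_sources` mean the router's address is being spoofed by someone else and there is nothing to fix locally beyond dropping the unsolicited responses.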

cybersaga (Member, joined 2011-12-19, Selby, ON):

I think what he was trying to say (without actually saying it) is that tcpdump will monitor traffic, but not necessarily tell me why the router is rebooting. Syslog may tell me why it's rebooting (like "aagghhh, I can't keep up with all the connections, omg!!").

But anyway, I changed my IP last night, and it's been solid all day today.

Privateeye (Anon, @start.ca) to cybersaga:

said by cybersaga:

I think what he was trying to say (without actually saying it) is that tcpdump will monitor traffic, but not necessarily tell me why the router is rebooting. Syslog may tell me why it's rebooting (like "aagghhh, I can't keep up with all the connections, omg!!").

But anyway, I changed my IP last night, and it's been solid all day today.

Syslog will display low-level hardware messages all the way up to firewall packet states (accepted, rejected, etc.). That's why it's the right tool for the job in this case: it will not bother capturing useless data in a certain time frame.

It just logs 24/7 in the background, and if you have a problem you can check exactly what happened and any errors or unusual traffic in the logs according to the time frame you know the problem started. You can set syslog to save logs for as long as you want, one day or years. Having helped in the development of WRT firmwares in the past, this is the first thing any competent developer will ask for when diagnosing a crash and logging bug reports.